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SUBJECT:  OSCE/FSC:  DAY  ONE — OSCE  WORKSHOP  ON  A 

COMPREHENSIVE  OSCE  APPROACH  TO  ENHANCING  CYBERSECURITY 

1.1.  (U)  NOTE:  This  is  the  first  of  two  cables  reporting  the 

March  17-18  OSCE  Workshop  on  a Comprehensive  OSCE  Approach  to 
Enhancing  Cybersecurity . END  NOTE. 

112.  (SBU)  Summary:  More  than  200  civil  and  military 

representatives  gathered  in  Vienna,  March  17  ) 18,  in  the 
first  wide-scale  FSC  effort  to  discuss  cybersecurity . This 
was  one  of  the  more  broadly  attended  workshops  held  under  the 
auspices  of  the  OSCE,  with  reps  in  attendance  from  Egypt, 

Japan,  the  Arab  League,  and  NATO,  among  others.  Their  key 
aim  was  to  identify  ways  to  cooperate  on  enhancing 
cybersecurity  and  examine  the  potential  future  role  of  the 
OSCE  in  addressing  this  global  problem.  Washington  reps,  led 
by  State/INR  Michele  Markoff,  also  consisted  of  reps  from 
State/EEB,  DHS,  and  DOD . 

1.3 . (SBU)  Initially  considered  by  the  U.S.  a risky  topic  for 
the  FSC,  the  workshop  proved  a successful  endeavor  for 
achieving  U.S.  objectives,  which  were  to  prevent  the 
militarization  of  cyber  security,  refrain  from  engaging  in 
discussions  on  constraining  state  capabilities,  and  keeping 
the  focus  on  defensive  remedies  to  ensure  cyber  security. 

There  was  much  support  for  the  U.S.  position  to  focus  on 
defensive  strategies  and  for  a U.S.  recommendation  that  OSCE 
participating  States  conduct  a self-survey  to  identify  gaps 
and  capacities  in  order  to  later  devise  an  approach  to  cyber 
resiliency.  There  was  very  little  support  for  Russia's 
description  of  cyber  security  as  an  "information  arms  race" 
that  required  a new  international  treaty  instrument. 

Russia's  proposal  to  begin  by  defining  relevant  terms  and 
concepts  also  gained  little  traction.  Russia  was  alone  in 
its  opposition  to  the  Council  of  Europe  Convention  on  Cyber 
Crime.  Turkey  reported  that  inconsistencies  with  its  own 
national  legislation  had  kept  it  from  adopting  the 
convention,  but  asked  USdel  on  the  margins  of  the  workshop 
for  assistance  in  reconciling  this  obstacle. 


14.  (SBU)  There  was  strong  support  for  U.S.  expert 
participation  from  Washington  in  the  workshop.  Several 
delegations  praised  the  efforts  of  the  U.S.  panelists 
(State/INR,  DOD,  and  DHS  reps)  and  pointed  out  the  U.S.  rep's 
excellent  job  of  summarizing  two  days  of  discussion  in  the 
last  working  session.  Several  delegations  were  eager  to 
follow  up  with  the  U.S.  head  of  del  after  her  presentation. 

EU  reps  invited  U.S.  participation/expertise  to  an  informal 
ministerial  conference  on  critical  information  infrastructure 
protection  (CUP),  to  be  held  April  27-28  in  Tallinn.  A 
number  of  possible  recommendations  for  follow-up  activities 
were  proposed.  We  would  welcome  Washington  guidance  on  how 
it  envisions  follow-up  activity  in  Vienna. 

15.  (SBU)  COMMENT:  If  the  USG  wishes  to  move  forward  on 
cyber  security  in  the  OSCE,  a new  CSBM  introduced  by  the  U.S. 
and  close  Allies  on  cyber  security  may  be  in  U.S.  interest 
for  three  reasons.  First,  this  could  advance  the  U.S. 
approach  with  the  56  participating  States  (pS),  over  half  of 
whom  are  not  in  NATO.  Second,  this  would  proactively  offer  a 
positive  alternative  to  displace  unhelpful  Russian  proposals 
and  prevent  Russian  views  from  being  the  center  of  attention. 

Third,  the  U.S.  would  assert  leadership.  Such  a CSBM  could 
be  centered,  for  instance,  around  the  6-7  well-received 
recommendations  the  USG  panelist  made  at  the  end  of  the 
workshop  or  the  11  agreed  points  on  cyber  security  already 
agreed  within  the  G-8.  By  moving  forward  with  one  of  the 
recommendations  that  were  also  proposed  in  the  non-paper 
authored  by  Austria,  Estonia,  and  Lithuania,  the  U.S.  could 
enlist  one  or  all  of  these  countries  as  co-leads  of  the 
action.  END  COMMENT. 

END  SUMMARY. 
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Opening  Session:  OSCE  Takes  on  Cyber  security 


1.6 . (U)  Greek  Chairman  in  Office  (Ambassador  Mara  Marinaki) 
opened  the  March  17  -18  OSCE  Workshop  on  a Comprehensive  OSCE 
Approach  to  Enhancing  Cyber  Security  by  saying  it  was  the 
first  wide-scale  OSCE  effort  to  discuss  cyber  security, 
building  on  previous  OSCE  efforts  to  combat  terrorism  on  the 
Internet,  exchange  information,  and  discuss  concrete  steps 
for  a way  forward.  The  Greek  CiO  pointed  out,  in  particular, 
a jointly  sponsored  non-paper  authored  by  Austria,  Estonia, 
and  Lithuania  ( FSC . DEL/33/09 ) , which  lays  out  specific 
concerns  related  to  cyber  security  and  a possible  way  forward 
for  the  OSCE  to  address  those  concerns.  The  OSCE  Secretary 
General  Marc  Perrin  de  Brichambaut  commented  that  the  holding 
of  this  event  demonstrated  how  the  OSCE  was  seeking  to  remain 
in  step  with  modern-day  challenges.  Cyber  security  as  a 
theme  also  showed  continued  relevance  of  the  OSCE ' s signature 
concern  of  "comprehensive  security."  The  SYG  hoped  the 
workshop  could  explore  what  kind  of  comprehensive  approach 
the  OSCE  could  craft  and  how  could  it  help  participating 
States . He  said  that  OSCE  pS  had  been  working  to  create  a 
mandate  to  enhance  cyber  security  by  (1)  combating  terrorist 
use  of  the  Internet  (MC. DEC/3/04  and  MC . DEC/7/06 ) ; (2) 

promoting  public-private  partnerships  (MC . DEC/5/07 ) ; and  (3) 
crafting  a comprehensive  OSCE  approach  to  cyber  security 
(FSC. DEC/10/08) . 

17.  (SBU)  The  Estonian  Minister  of  Defense  Jaak  Aaviksoo 
called  cyber  security  an  "essential  and  demanding"  topic 
( FSC  . DEL/42 /09  ) . He  saw  the  OSCE  as  an  ideal  forum  for  this 
discussion  given  the  need  for  "security  and  cooperation  in 
Europe"  on  cyber  security  and  also  called  it  a "key  forum" 
for  discussing  a "true  21st  century  challenge."  Aaviksoo 
stressed  the  responsibility  of  pS  to  raise  awareness  and 
described  the  OSCE  as  a large  intergovernmental  organization 
with  a significant  role  to  play.  He  said  a dual  approach 
that  would  increase  cooperation  multilaterally  and  improve 
resilience  on  a national  basis  was  needed.  He  also  stressed 


the  need  for  States  to  create  the  national  legal  framework 
necessary  for  a comprehensive  cyber  security  program,  and  the 
need  for  national  Computer  Emergency  Response  Teams.  More 
evenly  regulated  national  cyber  environments,  he  said,  would 
contribute  to  a better  governed  international  space. 

Aaviksoo  also  applauded  the  Council  on  Europe  Convention  on 
Cybercrime  as  a great  framework  for  cooperation.  The  Czech 
Republic  (Reinohlova)  on  behalf  of  the  European  Union  said 
that  cyber  security  was  an  "important  precondition"  for 
defending  values. 


Session  1:  Threats  to  Cyber  security 


1[8 . (SBU)  The  first  session  addressed  attributes  and  common 
forms  of  cyber  attacks,  cyber  crime,  defensive  strategies  for 
threat  mitigation,  and  consequence  management  and 
remediation.  Keynote  speakers  were  Captain  H.N.  Dionisis 
Antonopolous , Director  Cyber  Defense  Directorate,  Hellenic 
National  Defense  General  Staff;  Vladislav  Sherstyuk,  Deputy 
Secretary  of  the  Security  Council  of  the  Russian  Federation; 
Michele  Markoff,  Acting  Director,  Office  of  Cyber  Affairs, 
Department  of  State;  and  Rytis  Rainys,  Head  of  Network  and 
Information  Security  Division  of  Lithuania.  The  panel  was 
moderated  by  Raphael  Perl  from  the  Office  of  the  OSCE 
Secretary  General,  Action  Against  Terrorism  Unit. 
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Don't  Forget  the  End-User 


11_9 . (SBU)  Antonopolous1  presentation,  The  Key  to  an  Effective 
Cyber  Defense  Strategy,  focused  on  the  human  factor  in  cyber 
security  ( FSC . DEL/38/09 ) . Due  to  the  nature  of  cyber  attacks 
the  end-user  often  becomes  an  unknowing  victim.  He  said  that 
most  public  and  private  entities  provide  high  level  training 
for  cyber  security  personnel,  but  it  can  never  be  enough.  He 
stressed  that  the  common  end-user  has  been  left  out  and  more 
education  for  individuals,  who  use  computers  daily  at  home 
and  work,  was  needed. 


Russians  Claim  New  Arms  Race  Unfolding 


11_10.  (SBU)  Sherstyuk 's  presentation,  Problems  of  Ensuring 
International  Information  Security,  made  attempts  to  assert 
that  an  "information  arms  race"  was  unfolding  internationally 
( FSC . DEL/22 /09 ) . He  stressed  the  need  for  collective  action 
to  prevent  the  "next  round  of  an  arms  race,"  claiming  that 
120  nations  had  "departments"  dealing  with  cyber  warfare. 
Sherstyuk  also  believed  that  it  was  especially  important  to 
draw  up  a universal  document  under  international  law  that 
acknowledged  the  existence  of  political-military  and  criminal 
threats,  including  terrorism,  to  "international  information 
security."  He  proposed  the  publication  of  a dictionary  of 
terms  "used  in  the  international  information  security  field." 

Sherstyuk  also  mentioned  that  an  international  conference  on 
cybercrime  jointly  sponsored  by  Russia  and  Germany  would  take 
place  on  April  18  in  Germany. 


U.S.  Focus  on  Defense 


11_11.  (SBU)  Markoff's  presentation,  U.S.  Views  on  National 
and  International  Approaches  to  Information  Network  Security, 
focused  on  securing  networks  through  layered  defenses  that 
are  effective  whatever  the  source  of  the  attack 
( FSC . DEL/40/09 /Rev. 1 ) . Markoff  explained  that  a national 
review  of  cyber  policy  currently  was  being  conducted  in 
Washington  and  without  prejudging  the  outcome  said  that  the 
U.S.  will  continue  actively  to  pursue  international 


collaboration  on  cyber  security  in  bilateral,  multilateral, 
and  international  venues.  The  U.S.  would  also  continue  to 
offer  its  detailed  views  of  those  steps  that  states, 
individually  and  collectively,  need  to  take  to  enhance  cyber 
security . 

11.12.  (SBU)  Markoff  said  that  cyber  security  was  not  inherently 
political-military  in  nature,  just  as  information  technology 
is  neither  inherently  civil  nor  military.  Therefore,  cyber 
security  was  a shared  responsibility  of  government,  industry, 
and  individual  citizens.  Markoff  demonstrated  that  the 
Russian  rep's  call  for  an  arms  control-like  convention  that 
would  ban  the  development  or  use  of  a wide  range  of 
information  technologies  was  not  helpful  or  effective  in 
addressing  the  security  threats  associated  with  this 
technology.  It  also  was  most  likely  unenforceable. 


Lithuania:  "Think  Globally,  Act  Locally" 


11_13.  (SBU)  Rainys 1 presentation.  Overview  of  Cyber-related 
Security  Incidents  in  2008,  stressed  that  cyber  attacks  were 
becoming  massive  and  well-organized.  He  stated  that  most 
cyber  attacks  were  motivated  by  financial  gain.  His  message 
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was  to  "think  globally,  act  locally."  Rainys  said  that  if 
each  nation  could  implement  an  incident  management  system 
that  would  keep  its  local  network  as  clean  as  possible,  this 
would,  in  turn,  enhance  the  security  of  global  networks. 
Rainys  stressed  that  defensive  activities  were  key.  He  said 
that  incident  management  work  by  CERT  groups  should  be 
enhanced,  technical  solutions  that  could  be  implemented  by 
network  providers  would  lead  to  better  protection  of 
end-users,  and  wider  cooperation  and  coordination  were 
important . 


Self-Survey  As  First  Step 


1.14.  (SBU)  In  response  to  questions  posed  by  the  audience, 
Markoff  suggested  that  the  OSCE  first  set  up  a "self-survey" 
in  order  to  know  the  gaps  and  capacities  among  OSCE  pS. 

Then,  Markoff  said,  the  OSCE  could  design  a program  where  the 
first  steps  would  be  to  develop  confidence  and  trust.  She 
also  indicated  that  this  could  include  identifying  points  of 
contact  for  the  first  responders  of  member  States.  Finland 
(Kangaste)  agreed  that  cyber  security  posed  challenges  to  all 
stakeholders  and  supported  defensive  measures  as  the  most 
concrete  way  for  dealing  with  cyber  attacks.  He  called  the 
Council  of  Europe  Convention  on  Cyber  Crime  "groundbreaking." 

He  also  echoed  the  U.S.  (Markoff)  point  about  the  need  to 
build  a "culture  of  cyber  security"  as  well  as  the  U.S. 
recommendation  for  a self-survey.  Kangaste  said  it  was 
important  to  ensure  that  the  rules  of  international 
humanitarian  law  apply  and  said  that  Sweden,  Switzerland,  and 
Finland  have  an  ongoing  joint  study  to  define  what  this  means 
for  cyber  space. 


U.S.  Upholds  Principles  of  Free  Speech 


11.15.  (SBU)  Cyprus  agreed  with  Rainys,  statement,  "think 
globally,  act  locally,"  but  reordered  the  priority  to  acting 
locally  and  collaborating  internationally.  The  Cyprus  rep 
stressed  the  need  for  a well-defined  plan  and  said  "perfect 
planning  prevents  pathetic  performance."  Azerbaijan 
(Jafarova)  noted  that  networks  should  not  be  used  for 
"racism,  terrorism,  or  other  phobias,  such  as  Islamaphobia . " 
Jafarova  spoke  about  the  potential  for  a state  to  develop 
propaganda  against  another  state  and  said  that  Azerbaijan  had 
found  websites  that  challenged  its  territorial  integrity  and 
sovereignty.  The  U.S.  (Markoff)  responded  that  while  we  may 


witness  speech  that  is  hostile  and  political  on  the  internet, 
it  remains  the  U.S.  position  that  one's  view  of  illegitimate 
speech  is  another's  legitimate  political  expression.  In 
upholding  the  right  of  free  speech,  Markoff  cautioned  against 
"regulating  content8  and  stressed  the  importance  of 
maintaining  the  principles  of  the  Universal  Declaration  of 
Human  Rights. 


Russia  Says  It's  Misunderstood;  Quotes  Castro 


1.16.  (SBU)  Georgia  ( Kvanchakhadze ) recalled  the  "most  serious 
attack  against  (their)  infrastructure"  in  August  2008  and 
questioned  who  would  be  the  main  international  body  to  fight 
state  sponsored  attacks.  The  U.S.  (Markoff)  stressed  that 
the  unique  attributes  of  this  technology  made  the  problem  of 
acting  against  perceived  perpetrators  very  difficult  and  that 
a better  understanding  of  the  technical  issues  in  the 
international  environment  was  essential  before  strategizing 
further.  Russia  (Krutskikh)  alleged  that  there  was  a problem 
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understanding  each  other  because  cyber  terms  had  not  been 
defined.  He  then  said  Russia  was  misunderstood  as  pushing 
for  "disarmament."  Krutskikh  said  we  should  use  the 
experience  we  have  already  acquired  but  we  should  be  sure  we 
were  targeting  the  right  problems,  such  as  crime,  terrorism, 
and  armed  attack.  He  quoted  Fidel  Castro,  who  said  "if  you 
devise  an  imaginary  enemy,  you  ignore  the  real  enemy  that 
exists . " 

1.17.  (SBU)  Antonopolous  tried  to  clarify  that  cyber  meant 
the  "space  where  we  are  when  we  are  talking  on  the  phone." 

In  other  words,  it  is  "the  non-visual  space  where  you  can 
apply  visual  actions."  The  U.S.  (Markoff)  responded  that 
Krutskikh 's  comments  seemed  to  imply  a change  in  the  Russian 
position  that  has  held  for  several  years  that  an  arms  control 
race  in  unfolding.  Markoff  said  that  the  Russian  position 
had  been  to  establish  boundaries  of  sovereignty  in  cyber 
space,  but  if  that  had  changed,  the  U.S.  would  welcome 
hearing  more  details. 


Session  2:  Government  Options 


1.18.  (U)  The  second  session  addressed  national  and 

international  good  practices  and  legal  frameworks  and  their 
use  to  develop  policy  options  for  governments.  Michele 
Markoff  was  the  moderator.  Keynote  speakers  included  John 
Denning,  Director  for  External  Affairs  in  the  Office  of  Cyber 
security  and  Communications,  Department  of  Homeland  Security; 
Patrick  Pailloux,  Director  of  Information  Security,  French 
General-Secretariat  for  National  Defense;  and,  Andrea 
Servida,  Directorate  General  Information  Society  of  the 
European  Commission. 


U.S.  Describes  Cybersecurity  Culture 


1.19.  (SBU)  Denning  (Department  of  Homeland  Security)  called 
for  the  construction  of  a culture  of  cyber  security  based  on 
shared  responsibility  ( FSC . DEL/44 /09 /Add . 1 ) . Denning 
described  the  key  elements  of  a viable  cyber  security  program 
as:  development  of  national  strategy;  collaboration  between 
national  governments  and  industry;  deterrence  of  cybercrime; 
creation  of  national  incident  management  capabilities;  and 
promotion  of  a national  culture  of  cyber  security. 

1.2  0.  (SBU)  Denning  said  governments  must  provide  an  example 

of  good  cyber  security  practices  in  their  outreach  to  the 
private  sector.  He  noted  that  government  efforts  are 
inherently  multi-agency  and,  in  the  U.S.,  include  federal, 
state,  and  local  officials.  His  own  agency,  Homeland 


Security,  had  developed  a National  Infrastructure  Protection 
Plan  that  relied  on  close  relationships  between  the 
government  and  key  sectors  of  the  critical  infrastructure. 
Inculcating  cyber  security  awareness  in  all  parts  of  the 
society  will  require  constant  awareness  raising  and  education. 


French  National  Responses 


1121.  (SBU)  Pailloux  said  that  much  thinking  in  the  French 
government  on  cyber  security  was  captured  in  its  recent  white 
paper  on  defense  ( FSC . DEL/45/09 ) . France,  noting  the  2007 
attack  on  Estonia,  estimates  a high  probability  of  cyber 
attack  as  the  technology  required  is  readily  available  to 
many  and  can  be  employed  with  minimal  risk  to  the  attacker. 

He  noted  that  critical  infrastructures  worldwide  increasingly 
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depend  on  information  technology  for  effective  functioning, 
increasing  the  risk  cyber  attacks  could  seriously  impede 
delivery  of  vital  services  to  citizens.  Pailloux  praised  the 
FSC  workshop  as  a necessary  effort  to  raise  awareness  of  the 
threats  to  cyber  security.  Also  needed  was  international 
agreement  on  a minimum  level  of  rules  and  good  practices  that 
system  operaters  need  to  follow.  He  also  stressed  that 
security  requirements  should  not  hamper  innovation  and  rapid 
technology  development  in  the  IT  industry,  and  said  that 
international  cooperation  is  essential  to  deter  and  prosecute 
cybercrime.  He  said  that  the  EU  must  take  steps  to  protect 
its  critical  information  infrastructure,  as  it  protects  its 
other  critical  infrastructures.  The  French  government  CERT, 
which  Pailloux  heads,  was  able  to  close  down  over  2,000 
phishing  sites  with  the  help  of  its  international  partners. 


EU  Policy  Initiatives 


112  2.  (SBU)  Andrea  Servida  described  ongoing  EU  efforts  to 

enhance  cyber  security  in  the  EU 1 s Member  States  and 
institutions.  While  EU  executive  agencies  like  the  European 
Network  and  Information  Security  Agency  are  raising  awareness 
and  fostering  dialogue  with  industry,  there  was  also  a need 
for  greater  public  participation  in  shaping  an  enhanced 
European  policy  on  network  and  information  security.  The 
Commission  launched  an  on-line  public  consultation  in  2008  to 
which  academics,  industry  experts,  and  private  citizens  have 
contributed. 

1.2  3.  (SBU)  Noting  the  increasing  number  and  severity  of 
cyber  attacks  and  their  costs  to  national  and  regional 
economies,  Servida  said  the  Commission  had  several  policy 
initiatives  designed  to  ensure  the  protection  and  survival  of 
European  Critical  Information  Infrastructure.  These  would  be 
based  on  both  government  and  private  sector  programs  and 
would  protect  against  all  threats.  Next  steps  include  an 
informal  ministerial  meeting  on  critical  information 
infrastructure  protection  (CUP)  in  Tallinn  in  late  April. 

He  noted  that  while  there  are  150  CERTs  in  the  EU,  only  15 
are  national-level,  of  which  seven  have  standard  operating 
language  to  communicate  with  each  other. 

1.24.  (SBU)  Italy  (Somma),  in  response,  described  briefly  its 
MOD  cyber  defense  organization  and  highlights  of  a recent 
cyber  exercise  ("CYBER  SHOT")  that  involved  all  the  military 
services,  including  the  Carabinieri  or  national  police,  and 
representatives  of  civilian  government  agencies  and  critical 
information  infrastructure.  Somma  spoke  of  the  importance  of 
setting  up  a clear  command  structure  for  dealing  with 
incidents  as  they  occur,  and  situational  awareness  of  the 
state  of  network  defenses.  Another  exercise  is  planned  in 
November  in  conjunction  with  a NATO  cyber  event.  The  Arab 
League  (Wehbe)  said  it  was  taking  steps  to  follow  UN 
measures . Wehbe  pointed  out  that  the  Arab  countries  were 
trying  to  combat  terrorist  use  of  the  internet  while 


maintaining  respect  for  human  rights. 


Meridian  Process:  Connecting  Policymakers 


T25 . (SBU)  The  UK  (Burnett)  described  the  Meridian  Process, 
which  began  in  2005  with  the  support  of  the  EU  and  G8  for 
policymakers  involved  in  CUP.  Burnett  noted  that  the 
Meridian  Process  is  an  annual  conference,  with  a rotating 
presidency,  open  to  any  country  that  wants  to  join.  It  had 
been  deemed  successful  by  participants.  The  presidency  was 
held  by  the  UK  (2005),  Hungary  (2006),  Sweden  (2007), 
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Singapore  (2008),  this  year  (November)  by  the  U.S.,  and  in 
2010  by  Taiwan.  The  theme  of  Meridian  is  "connecting  and 
protecting, " and  identify  points  of  contacts  between 
participants.  Burnett  stressed  the  conference  was  meant  for 
policymakers,  not  CERT  professionals  or  technical  experts. 

11_26.  (U)  This  cable  has  been  cleared  by  INR/CCT  Markoff; 

OSD/NII;  and,  OSD/P. 

NEIGHBOUR 


